Security Update

Jul 10, 2011, 11:27 pm
#1
The Imperialist
Joined: Dec 2, 2007
Location: New Attnam
Interests: bananas
Posts: 2,169
As I explained briefly earlier, the reason the hacker was able to retrieve some people's passwords was that they were encrypted using MD5 (because phpBB, the old forum software, also used it), which is susceptible to rainbow table attacks.

We're now using a much stronger encryption algorithm (SHA1 + a unique salt, looped multiple times).

I can now 99.9999999% guarantee that even if somebody were to get access to both the encrypted passwords and our unique salt, there is no way they could convert them into the unencrypted original values.

So, go change your password, esp. if you were on the list of people targeted earlier. After you change it you'll have to log in again.

The forum isn't safe yet, but I promise your passwords are.
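The hashing change described in the post above, written out as an added illustration (not the forum's own code): an unsalted MD5 gives every user with the same password the same digest, so a precomputed table reverses it, while a per-user random salt fed into an iterated SHA-1 makes each stored value unique. The `hash_password` loop structure, the iteration count and the per-user record layout are assumptions here, not details from the post.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a precomputed (rainbow) table of
# unsalted MD5 digests. Real tables cover billions of candidates.
PRECOMPUTED_MD5 = {
    hashlib.md5(pw.encode()).hexdigest(): pw
    for pw in ["password", "123456", "letmein", "bananas"]
}


def md5_unsalted(password: str) -> str:
    """The old phpBB-style scheme: one MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_md5(digest: str):
    """Why unsalted MD5 fails: identical passwords give identical digests,
    so a stored digest can be reversed by a plain table lookup."""
    return PRECOMPUTED_MD5.get(digest)


def hash_password(password: str, salt: bytes, iterations: int = 1000) -> str:
    """Salted, iterated SHA-1: the salt is mixed into every round and the
    previous digest is fed back in (assumed construction)."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.sha1(salt + password.encode()).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(salt + digest).digest()
    return digest.hex()


def new_user_record(password: str) -> dict:
    """Create a stored record with a fresh random salt per user (assumed layout).
    Two users with the same password now get different hashes."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": hash_password(password, salt)}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt; compare in constant time so response
    timing does not leak how many leading bytes of the digest matched."""
    expected = hash_password(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, record["hash"])
```

A per-user salt defeats precomputed tables but not a targeted brute force of weak passwords; today a purpose-built password hash (bcrypt, scrypt, Argon2 or PBKDF2) is preferred over a hand-rolled SHA-1 loop.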
Jul 11, 2011, 3:10 am
#2
Joined: Dec 4, 2007
Occupation: Perfect Soldier
Location: Astragius Galaxy
Interests: Fiana, Peace, Melons
Posts: 1,054
Well, thanks Cap.
Jul 11, 2011, 8:29 am
#3
Joined: Dec 3, 2007
Occupation: Chaos Weaver
Location: Standing between all life and death
Posts: 2,832
Indeed. Much appreciated.
Jul 11, 2011, 2:15 pm
#4
Joined: Nov 22, 2008
Interests: IVAN
Posts: 1,163
Thanks!
Jul 11, 2011, 2:32 pm
#5
Joined: Jul 6, 2011
Posts: 7
Thanks very much for the update and for fixing it!
Jul 19, 2011, 8:27 am
#6
The Imperialist
Joined: Dec 2, 2007
Location: New Attnam
Interests: bananas
Posts: 2,169
Another update - some of you might have noticed we had another white-hat hacker. The problem was that some of my code allowed for SQL injection, which is a really simple problem to fix, but something I hadn't taken the time to clean up yet. Again, this is the result of having years-old code, and I knew the problem was there but I figured with custom code we'd be safe until I finished rewriting the entire site. Stupid mistake.

Well, unlike the other one, this guy was actually helpful since he created an account and I was able to email him. He double-checked the loophole he had found earlier and said it was fixed. Of course I won't feel completely comfortable until I'm done rewriting the code, but for now, at least the easy ways in are closed.

And now we just have to figure out why everything always seems to break with BDR...
Jul 19, 2011, 11:41 pm
#7
Joined: Dec 3, 2007
Occupation: Chaos Weaver
Location: Standing between all life and death
Posts: 2,832
Break Down Risk
Jul 27, 2011, 11:35 pm
#8
Joined: Dec 4, 2007
Occupation: Perfect Soldier
Location: Astragius Galaxy
Interests: Fiana, Peace, Melons
Posts: 1,054
Ahem...